Information Commissioner's Office


ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with
our work on the right of access only. The information will not be used to
consider any regulatory action, and you may respond anonymously
should you wish.


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right of access?
No
Unsure / don't know
If no or unsure/don't know, what other issues would you like to be covered in it?


Q2 Does the draft guidance contain the right level of detail?
No
Unsure / don't know
If no or unsure/don't know, in what areas should there be more detail within the draft
guidance?


Q3 Does the draft guidance contain enough examples?
No
Unsure / don't know
If no or unsure/don't know, please provide any examples that you think should be
included in the draft guidance.


Q4 We have found that data protection professionals often struggle with applying and
defining ‘manifestly unfounded or excessive’ subject access requests. We would
like to include a wide range of examples from a variety of sectors to help you.
Please provide some examples of manifestly unfounded and excessive requests
below (if applicable).


An employee makes a SAR to their employer for copies of their personal data
contained in emails only. A search of their systems to find the emails took less than
an hour, however this search returned 194,072 emails. In our view, it is highly
unlikely that all of those emails contain the requestor’s personal data and therefore it
would be excessive and unreasonable for the employer, given the amount of time
and resource it would take, to have to review all those emails to search for the
personal data within. It would save a lot of time and resource if the employer was to
use reasonable efforts to search the personal data in the first place i.e. to carry out
more focused searches, which would be more likely to return more relevant search
results.


Q5 On a scale of 1-5 how useful is the draft guidance?
1 - Not at all useful
2 - Slightly useful
4 - Very useful
5 - Extremely useful


Q6 Why have you given this score?


Most issues are covered.


Q7 To what extent do you agree that the draft guidance is clear and easy to understand?
Strongly disagree
Disagree
Neither agree nor disagree
Strongly agree


Q8 Please provide any further comments or suggestions you may have about the draft
guidance.


The guidance does not cover that it is an essential step of responding to a subject
access request to review search results for information that is solely third party
personal data (i.e. that is not mixed with the personal data of the requestor) and to
redact this.


In the ‘How do we decide what information to supply?’ section, the guidance states
that search results ‘may’ contain third party data, and therefore ‘sometimes’ you
need to consider each document or the content of each document separately. From
experience, the results of a search for a requestor’s personal data always contain
third party personal data and hence it is always necessary to review the content of
the results prior to disclosure, often line by line, in order to redact third party
personal data.


We are of the view that the draft guidance does not appreciate that it is not carrying
out the searches that organisations find burdensome, it is this necessary reviewing
and redacting of the materials prior to disclosure that is the most time and resource
consuming part of responding to a SAR. Organisations that are faced with a lot of
requests spend a huge amount of time and resource on this part alone; some have
small teams of 2 or 3 people who are fully occupied for weeks reviewing and
redacting SAR materials, when this is only one aspect of their job role.


Q9 Are you answering as:


An individual acting in a private capacity (eg someone providing their views as a 
member of the public) 


An individual acting in a professional capacity 


Other 


Please specify the name of your organisation: 


Browne Jacobson LLP 


What sector are you from: 


Q10 How did you find out about this survey? 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 


Other 
If other please specify: 


PR SOS 


Thank you for taking the time to complete the survey. 


